Malware for iOS? Not Really

Last week the news sites were full of headlines proclaiming that the “first iOS malware” had hit the iOS App Store. Just one problem with those headlines: they weren’t 100% accurate.

The “Find and Call” app – the Android version of which we detect as ANDROIDOS_INFOLKFIDCAL.A, and the iOS version as IOS_INFOLKCONTACTS.A – has only one key feature. It sends the user’s address book to a remote server without the user’s explicit say-so. Simply put, that’s a clear violation of privacy and apps shouldn’t be doing it. Period. In this particular case, the people in the address book were spammed, but that was done by the remote server, not the “malware” itself.

But there’s one problem. Legitimate apps have done exactly the same thing before. The social networking app Path was famously caught doing this earlier this year. Path came under tremendous fire for breaching user’s privacy so blatantly.

This was enough of a concern for Apple that the iOS 6 beta explicitly requires user consent every time before an app can access/send a user’s contacts, calendars, reminders, or photos.

The fact is that enough legitimate apps want access to user’s behavior that the practice of sending a user’s calendar information to a server isn’t instantly thought of as “bad” behavior anymore, because so many people let their apps do it. Unfortunately, the act of sending a user’s contact list has been “legitimized” by these apps, even if it remains, strictly speaking, odious behavior. In fact, “Find and Call” did explicitly ask for access to the user’s contact list:

Users should ignore the exaggerated hype about this “first iOS malware” to think about what it really did – it gave an app (and, implicitly, the people behind that app) access to their contacts. Think about how many apps ask for similar permissions – usually in the guise of sharing with or finding your friends/contacts. This incident should serve as a wake-up call to users as to exactly who – and how often – they’re giving their information to.

Apple deserves kudos for giving users the tools to help manage their personal information. Other mobile OS vendors should follow suit to provide all users with methods to protect their privacy.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: